REMARKS/ARGUMENTS

This Reply is being filed in response to the second non-final Official Action of October 11, 2005, in which independent Claims 1, 7 and 13 stand rejected under 35 U.S.C. § 102(e) as being anticipated by U.S. Patent No. 5,224,163 to Gasser et al. As explained below, however, Applicant respectfully submits that the claimed invention is patentably distinct from Gasser, and accordingly traverses the rejection of the claims as being anticipated thereby. In view of the following remarks, Applicant respectfully requests reconsideration and allowance of all of the pending claims of the present application.

Initially, Applicant notes the Official Action's failure to substantively treat any of dependent Claims 2-6, 8-12 and 14-18. Accordingly, and by virtue of the failure of Gasser to teach or suggest any of the features claimed thereby, Applicant presumes that dependent Claims 2-6, 8-12 and 14-18 are allowable, and therefore respectfully requests an indication of such in the next Official Action.

As to the rejection of independent Claims 1, 7 and 13, Applicant notes that the Gasser patent discloses a system and method for delegating authorization from one entity to another within a distributed network. In those passages cited in the Official Action as disclosing the claimed invention, a user P (user principal) may initiate a computing session by authenticating to a workstation W1 (system principal), and vice versa. In many situations during a computing session, after the user and workstation authenticate to one another, the user may desire to access the resource of another destination workstation Ws (system principal) in a manner requiring communication via one or more intermediary workstations W2 (system principals). In such instances, authority of the user to access the resource of the destination workstation may be established via a chained delegation of authority of the user through the intermediary workstations to the destination workstation, which certifies the user's authority via delegation certificates of each intermediary workstation back to the user.

As more particularly disclosed by Gasser, to access the resource of a workstation Ws via a workstation W1 and an intermediary workstation W2, the user (or smart card associated with the user) signs a delegation certificate D1 indicating that workstation W1 is authorized to speak for the user, and provides the delegation certificate D1 to workstation W1. In turn, workstation W1 itself signs a delegation certificate D2 indicating that workstation W2 is authorized to speak for workstation W1, and provides both delegation certificates D1 and D2, as well as an authentication certificate of user P, to workstation W2. Workstation W2 then requests access to the resource of workstation Ws using delegation certificates D1 and D2, and the authentication certificate of user P, to establish the authority of user P (via workstations W1 and W2) to access the resource of workstation Ws.

As previously explained, in accordance with one aspect of the claimed invention of the present application, as currently recited by independent Claim 1, a system is provided that includes a terminal, a secondary certification authority (CA), a tertiary CA and a server. As recited, the terminal is included within an organization including a plurality of terminals, where at least one terminal has at least one characteristic and is at one or more of a plurality of positions within an organization. The organization includes a plurality of secondary CA's capable of issuing role certificates to respective groups of terminals of the organization, and includes a plurality of tertiary CA's capable of issuing permission certificates to respective sub-groups of terminals of the organization. In this regard, the secondary CA is capable of providing at least one role certificate to the terminal based upon the position of the terminal within the organization. The tertiary CA, on the other hand, is capable of providing at least one permission certificate to the terminal based upon the characteristics of the respective terminals. Thus, the server is capable of authenticating the terminal based upon an identity certificate, the role certificate and the permission certificate of the terminal to thereby determine whether to grant the terminal access to at least one resource of the server.
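As an added illustration that is not part of this Reply, of Gasser, or of the present application, the following Python models the two schemes described in the preceding paragraphs: the chained delegation of Gasser (user P signs D1 for W1, W1 signs D2 for W2, and Ws checks the chain) and the claimed authentication of a terminal on identity, role and permission certificates issued by three distinct authorities. All keys, principal and terminal names, positions, characteristics and the server policy are constructed, and an HMAC stands in for a CA signature.

```python
import hashlib, hmac, json

# Constructed stand-in for a certificate signature: an HMAC under the issuer's key
# (real deployments use asymmetric signatures; only the shape of the checks matters here).
def sign(key: bytes, body: dict) -> dict:
    payload = json.dumps(body, sort_keys=True).encode()
    return {**body, "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}

def verify(key: bytes, cert: dict) -> bool:
    body = {k: v for k, v in cert.items() if k != "sig"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(str(cert.get("sig", "")), expected)

# --- Gasser-style chained delegation: user P -> W1 -> W2, checked by Ws ---
KEYS = {"P": b"key-P", "W1": b"key-W1", "W2": b"key-W2"}  # constructed principal keys

def delegate(delegator: str, delegatee: str) -> dict:
    return sign(KEYS[delegator], {"from": delegator, "to": delegatee})  # D1, D2 in the text

def chain_authorizes(user: str, chain: list, requester: str) -> bool:
    # Each link must be signed by its own delegator, and the links must run from user to requester.
    prev = user
    for d in chain:
        key = KEYS.get(d.get("from"))
        if d.get("from") != prev or key is None or not verify(key, d):
            return False
        prev = d["to"]
    return prev == requester

# --- Claimed scheme: identity, role and permission certificates from three issuers ---
IDENTITY_CA, SECONDARY_CA, TERTIARY_CA = b"id-ca", b"secondary-ca", b"tertiary-ca"  # constructed

def issue_identity(terminal: str) -> dict:
    return sign(IDENTITY_CA, {"type": "identity", "subject": terminal})

def issue_role(terminal: str, position: str) -> dict:  # secondary CA: based on the terminal's position
    return sign(SECONDARY_CA, {"type": "role", "subject": terminal, "position": position})

def issue_permission(terminal: str, characteristic: str) -> dict:  # tertiary CA: based on a characteristic
    return sign(TERTIARY_CA, {"type": "permission", "subject": terminal, "characteristic": characteristic})

POLICY = {"payroll-db": {("finance", "hardened-os")}}  # constructed: allowed (position, characteristic) per resource

def server_authenticates(identity: dict, role: dict, permission: dict, resource: str) -> bool:
    expected = [(IDENTITY_CA, identity, "identity"), (SECONDARY_CA, role, "role"), (TERTIARY_CA, permission, "permission")]
    # Every certificate must verify under its own CA, be of the claimed type, and name the same terminal.
    if not all(verify(k, c) and c.get("type") == t for k, c, t in expected):
        return False
    if not (identity["subject"] == role["subject"] == permission["subject"]):
        return False
    return (role["position"], permission["characteristic"]) in POLICY.get(resource, set())
```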

As described above, Gasser and the claimed invention both generally relate to use of certificates to authenticate a computing device. In contrast to independent Claim 1, however, Gasser does not teach or suggest (i) a secondary CA providing role certificate(s) to a terminal, based upon position(s) of the terminal within an organization; (ii) a tertiary CA providing permission certificate(s) to the terminal based upon characteristic(s) of the terminal at a position in the organization; and (iii) a server authenticating the terminal based upon an identity certificate, the role certificate(s) and the permission certificate(s).

A. Providing Role Certificate(s)

The Official Action appears to assert that Gasser's disclosure directed to providing a user with a smart card for authenticating the user corresponds to the recited feature of providing role certificate(s) to a terminal (aforementioned feature (i)), citing column 12, lines 43-66 of Gasser. As further disclosed by that passage of Gasser, upon providing the user with the smart card, the smart card issues information to a workstation such that the workstation retrieves certificates based on the information, and authenticates the user based upon those certificates. Even if one could interpret these disclosed certificates being provided to a workstation as corresponding to providing certificates to a terminal, as recited by the claimed invention, nowhere does Gasser teach or suggest that those certificates correspond to role certificate(s) provided based upon position(s) of the workstation within an organization, as also recited by the claimed invention. In fact, Gasser does not teach or suggest any basis for the provision of those certificates other than to authenticate the user to access resources of the workstation. Even considering this basis, however, the certificates are provided to the workstation irrespective of the workstation's position in an organization.

B. Providing Permission Certificate(s)

For the recited feature of a tertiary CA providing permission certificate(s) to the terminal (aforementioned feature (ii)), then, the Examiner cites a passage of Gasser directed to providing delegation certificates to workstations to speak for other workstations or users, citing column 13, line 23 - column 14, line 5. As indicated above, Gasser discloses that a user can authorize a workstation to speak on the user's behalf via a delegation certificate provided by the user to that workstation. Again, similar to the provision of certificates to the workstation to authenticate the user, Gasser does not teach or suggest that the delegation certificate is provided to the workstation based upon characteristic(s) of the workstation at a position in the organization, similar to the permission certificate(s) of the claimed invention. Rather, the delegation certificate is provided to authorize the workstation to speak on the user's behalf, irrespective of any characteristic(s) of the workstation. Further, Gasser does not teach or suggest the user providing delegation certificate(s) to sub-groups of workstations, similar to the provision of permission certificate(s) within the organization of the claimed invention. The user may provide a delegation certificate to a workstation, which itself provides that certificate and another delegation certificate to an intermediary workstation. Even in that instance, however, each entity provides delegation certificate(s) only to its most immediately adjacent workstation in the chain of communication, as opposed to providing delegation certificate(s) to a sub-group of workstations, similar to the claimed invention.

C. Authenticating a Terminal Based on Identity, Role and Permission Certificates

Finally, for the recited feature of authenticating the terminal based upon an identity certificate, the role certificate(s) and the permission certificate(s) (aforementioned feature (iii)), the Official Action again cites the passage of Gasser directed to delegation certificates, and particularly column 14, lines 5-18. Again, as explained above, Gasser discloses that in a number of situations, a user may desire to access the resources of a workstation Ws via workstations W1 and W2. In those situations, after providing delegation certificates D1 and D2 to workstations W1 and W2, respectively, workstation W2 requests access to the resource of workstation Ws using delegation certificates D1 and D2, and the authentication certificate of user P, to establish the authority of user P (via workstations W1 and W2) to access the resource of workstation Ws. Initially, it should be noted that the certificate of Gasser being attributed to the role certificate appears to more accurately correspond to the recited identity certificate. And with both delegation certificates D1 and D2 being provided to workstations W1 and W2, respectively, on the same basis (i.e., grant authority to speak on behalf of an immediately preceding principal), Gasser at best discloses two types of certificates upon which an entity is authenticated to access the resources of another principal. The claimed invention, on the other hand, authenticates an entity based upon three types of certificates, i.e., identity certificate, role certificate and permission certificate.

The Official Action appears to equate delegation certificates D1 and D2 to role and permission certificates, respectively. As disclosed by Gasser, delegation certificate D1 is provided by the user to workstation W1, and delegation certificate D2 is provided by workstation W1 to another workstation W2. In accordance with the claimed invention, however, the role and permission certificates are both provided to the same, recited terminal. Applicant notes that Gasser does disclose that workstation W1 passes its delegation certificate D1 to workstation W2 along with the delegation certificate D2 for workstation W2. Even considering this aspect of Gasser, however, delegation certificates D1 and D2 still cannot reasonably correspond to the recited role and permission certificate(s). In this regard, although workstation W1 passes both delegation certificates D1 and D2 to workstation W2, only delegation certificate D2 is passed with any basis to workstation W2 (i.e., authorizing W2 to speak on behalf of W1); delegation certificate D1, as indicated above, merely authorizes W1 to speak on behalf of user P. In accordance with the claimed invention, however, both the role and permission certificates are provided with basis to the recited terminal, the role certificate(s) being provided based upon position(s) of the terminal, and the permission certificate(s) being provided based upon characteristic(s) of the terminal.

Accordingly, Applicant respectfully submits that the claimed invention of independent Claim 1, and by dependency Claims 2-6, is patentably distinct from Gasser. Applicant also respectfully submits that independent Claims 7 and 13 recite subject matter similar to independent Claim 1. For example, independent Claims 7 and 13 recite providing a role certificate and a permission certificate, and authenticating a terminal based upon those certificates as well as an identity certificate. Accordingly, Applicant respectfully submits that the claimed invention of independent Claims 7 and 13, and by dependency Claims 8-12 and 14-18, is patentably distinct from Gasser for at least the same reasons given above with respect to independent Claim 1. Applicant therefore respectfully submits that the rejection of independent Claims 1, 7 and 13 under 35 U.S.C. § 102(b) as being anticipated by Gasser is overcome.
CONCLUSION

In view of the remarks presented above, Applicant respectfully submits that the present application is in condition for allowance. As such, the issuance of a Notice of Allowance is therefore respectfully requested. In order to expedite the examination of the present application, the Examiner is encouraged to contact Applicant's undersigned attorney in order to resolve any remaining issues.

It is not believed that extensions of time or fees for net addition of claims are required, beyond those that may otherwise be provided for in documents accompanying this paper. However, in the event that additional extensions of time are necessary to allow consideration of this paper, such extensions are hereby petitioned under 37 CFR § 1.136(a), and any fee required therefore (including fees for net addition of claims) is hereby authorized to be charged to Deposit Account No. 16-0605.